Bug 244193 - JSC DFG Int8Array constructor should throw an exception when the parameter is illegal.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-08-22 04:04 PDT by EntryHi
Modified: 2022-08-29 04:05 PDT
CC List: 3 users

See Also:


Description EntryHi 2022-08-22 04:04:54 PDT
// Proof of concept: call a TypedArray constructor without `new` through a hot
// call site and count how often the required TypeError goes missing.
let counta = 0;  // calls that returned normally (expected to stay at 1: the Math.abs warm-up)
let countb = 0;  // calls that threw (expected to reach 1000 on a correct engine)

function ftlFunction(callee) {
  callee("hello");  // Int8Array("hello") without `new` must throw a TypeError
  counta++;
}

// Warm the call site with an ordinary function first.
ftlFunction(Math.abs);

// Once ftlFunction tiers up to the DFG/FTL, the Int8Array call is inlined as a
// NewTypedArray node and stops throwing, so counta grows instead of countb.
for (var i = 0; i < 1000; ++i) {
  try {
    ftlFunction(Int8Array);
  } catch (e) {
    countb++;
  }
}

// `print` is the JSC shell builtin; fall back to console.log elsewhere.
// A correct engine prints "1 1000".
(typeof print === "function" ? print : console.log)(counta, countb);

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1

Int8Array("hello") should throw an exception. But in the JIT, it does not throw an exception.
The problem is in DFGBytecodeParser: the bytecode call is directly inlined as a NewTypedArray node. In this way, Int8Array("hello") generates a typed array instead of throwing an exception.

The execution trace is handleCall -> handleInlining -> handleCallVariant -> handleConstantInternalFunction -> handleTypedArrayConstructor in DFGByteCodeParser.cpp.
Comment 1 Radar WebKit Bug Importer 2022-08-29 04:05:18 PDT
<rdar://problem/99270956>
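The following is an added check, not part of the bug report and not WebKit's own test code. It generalizes the report's proof of concept from Int8Array to every TypedArray constructor: each one is invoked as a plain call (no `new`) through a shared call site that is first warmed with Math.abs, the way ftlFunction is in the report, and the harness counts how many of those calls return silently instead of throwing a TypeError. A non-zero silent count is the bug described above. For contrast it also shows that the same argument is legal via `new` or Reflect.construct, where ToIndex("hello") is 0 and the result is an empty typed array. It assumes an engine with BigInt64Array/BigUint64Array and uses the JSC shell's `print` when present, falling back to console.log otherwise.

```javascript
"use strict";

// Every constructor in this list must throw a TypeError when called without `new`.
const TYPED_ARRAY_CTORS = [
  Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array,
  Int32Array, Uint32Array, Float32Array, Float64Array,
  BigInt64Array, BigUint64Array,
];

// Shared call site, mirroring ftlFunction in the report: after warm-up the JIT
// sees a constant InternalFunction callee here and may try to inline it.
function callThrough(callee, arg) {
  return callee(arg);
}

// Call `ctor` without `new` many times through the shared site and classify
// the outcome of each call. `silent` counts spec violations (no exception).
function checkCallWithoutNew(ctor, iterations) {
  let threw = 0;
  let silent = 0;
  let wrongError = 0;
  callThrough(Math.abs, -1);  // warm the call site with an ordinary function first
  for (let i = 0; i < iterations; ++i) {
    try {
      callThrough(ctor, "hello");
      silent++;  // constructor call without `new` returned a value: the bug
    } catch (e) {
      if (e instanceof TypeError) threw++;
      else wrongError++;
    }
  }
  return { ctor: ctor.name, threw, silent, wrongError };
}

// Contrast case: constructing with the same argument is legal. ToIndex("hello")
// is 0, so both forms yield an empty typed array rather than an exception.
function constructWithNew(ctor, arg) {
  const a = new ctor(arg);
  const b = Reflect.construct(ctor, [arg]);
  return a.length === 0 && b.length === 0 && a.constructor === ctor;
}

function runAll(iterations = 1000) {
  return TYPED_ARRAY_CTORS.map((c) => checkCallWithoutNew(c, iterations));
}

// True when any constructor either returned silently or threw something other
// than a TypeError when called without `new`.
function hasBug(results) {
  return results.some((r) => r.silent > 0 || r.wrongError > 0);
}

const out = typeof print === "function" ? print : console.log;  // JSC shell vs. node
const results = runAll();
for (const r of results) {
  out(`${r.ctor}: threw=${r.threw} silent=${r.silent} wrongError=${r.wrongError}`);
}
out(hasBug(results)
  ? "BUG: a TypedArray constructor called without new did not throw TypeError"
  : "OK: every TypedArray constructor threw TypeError when called without new");
```

Run it under the same flags as the report (`--useConcurrentJIT=0 --jitPolicyScale=1`) so the call site tiers up deterministically; on an affected JSC build the `silent` column becomes non-zero once the DFG inlines the call, while an engine without the bug reports only `threw`.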